aboutsummaryrefslogtreecommitdiff
path: root/id/ConfigWebTool/src/main/java/at/gv/egovernment
diff options
context:
space:
mode:
authorThomas Lenz <tlenz@iaik.tugraz.at>2016-01-19 16:08:12 +0100
committerThomas Lenz <tlenz@iaik.tugraz.at>2016-01-19 16:08:12 +0100
commitee54508b4bc802587c59d67548b20a770110262c (patch)
tree89e25c70242f0ece888ebc6990a1b4f27db3169b /id/ConfigWebTool/src/main/java/at/gv/egovernment
parenta6bdd89c393ca777b484ab2385975db740096c56 (diff)
downloadmoa-id-spss-ee54508b4bc802587c59d67548b20a770110262c.tar.gz
moa-id-spss-ee54508b4bc802587c59d67548b20a770110262c.tar.bz2
moa-id-spss-ee54508b4bc802587c59d67548b20a770110262c.zip
add Single LogOut request signature validation to moa-id-configuration
Diffstat (limited to 'id/ConfigWebTool/src/main/java/at/gv/egovernment')
-rw-r--r--id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/PVPSOAPRequestSecurityPolicy.java92
-rw-r--r--id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBackChannelServlet.java64
-rw-r--r--id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBasicServlet.java4
-rw-r--r--id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOFrontChannelServlet.java10
-rw-r--r--id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java5
-rw-r--r--id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/utils/SAML2Utils.java20
6 files changed, 163 insertions, 32 deletions
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/PVPSOAPRequestSecurityPolicy.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/PVPSOAPRequestSecurityPolicy.java
new file mode 100644
index 000000000..a25cc44ef
--- /dev/null
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/PVPSOAPRequestSecurityPolicy.java
@@ -0,0 +1,92 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.configuration.auth.pvp2;
+
+import java.util.List;
+
+import javax.xml.namespace.QName;
+
+import org.opensaml.common.SignableSAMLObject;
+import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider;
+import org.opensaml.ws.soap.soap11.Envelope;
+import org.opensaml.xml.XMLObject;
+import org.opensaml.xml.signature.SignatureTrustEngine;
+
+import at.gv.egovernment.moa.id.configuration.config.ConfigurationProvider;
+import at.gv.egovernment.moa.id.protocols.pvp2x.validation.AbstractRequestSignedSecurityPolicyRule;
+
+/**
+ * @author tlenz
+ *
+ */
+public class PVPSOAPRequestSecurityPolicy extends
+ AbstractRequestSignedSecurityPolicyRule {
+
+ /**
+ * @param trustEngine
+ * @param peerEntityRole
+ */
+ public PVPSOAPRequestSecurityPolicy(SignatureTrustEngine trustEngine,
+ QName peerEntityRole) {
+ super(trustEngine, peerEntityRole);
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.validation.AbstractRequestSignedSecurityPolicyRule#refreshMetadataProvider(java.lang.String)
+ */
+ @Override
+ protected boolean refreshMetadataProvider(String entityID) {
+ try {
+ HTTPMetadataProvider metadataProvider = ConfigurationProvider.getInstance().getMetaDataProvier();
+ metadataProvider.setRequireValidMetadata(true);
+ metadataProvider.refresh();
+
+ return true;
+
+ } catch (Exception e) {
+
+
+ }
+
+ return false;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.validation.AbstractRequestSignedSecurityPolicyRule#getSignedSAMLObject(org.opensaml.xml.XMLObject)
+ */
+ @Override
+ protected SignableSAMLObject getSignedSAMLObject(XMLObject inboundData) {
+ if (inboundData instanceof Envelope) {
+ Envelope envelope = (Envelope) inboundData;
+ if (envelope.getBody() != null) {
+ List<XMLObject> xmlElemList = envelope.getBody().getUnknownXMLObjects();
+ if (!xmlElemList.isEmpty() && xmlElemList.get(0) instanceof SignableSAMLObject)
+ return (SignableSAMLObject) xmlElemList.get(0);
+
+ }
+ }
+
+ return null;
+ }
+
+}
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBackChannelServlet.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBackChannelServlet.java
index cff08740b..17d3d9e50 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBackChannelServlet.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBackChannelServlet.java
@@ -40,6 +40,7 @@ import org.opensaml.saml2.core.LogoutRequest;
import org.opensaml.saml2.core.LogoutResponse;
import org.opensaml.ws.message.decoder.MessageDecodingException;
import org.opensaml.ws.message.encoder.MessageEncodingException;
+import org.opensaml.ws.soap.client.BasicSOAPMessageContext;
import org.opensaml.ws.soap.soap11.Envelope;
import org.opensaml.ws.soap.soap11.decoder.http.HTTPSOAP11Decoder;
import org.opensaml.ws.transport.http.HttpServletRequestAdapter;
@@ -49,10 +50,12 @@ import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.x509.KeyStoreX509CredentialAdapter;
import org.opensaml.xml.security.x509.X509Credential;
+import org.opensaml.xml.validation.ValidationException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import at.gv.egovernment.moa.id.config.webgui.exception.ConfigurationException;
+import at.gv.egovernment.moa.id.configuration.auth.pvp2.PVP2Utils;
/**
* @author tlenz
@@ -77,25 +80,44 @@ public class SLOBackChannelServlet extends SLOBasicServlet {
try {
HTTPSOAP11Decoder soapDecoder = new HTTPSOAP11Decoder(new BasicParserPool());
- BasicSAMLMessageContext<SAMLObject, ?, ?> messageContext =
- new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>();
- messageContext
- .setInboundMessageTransport(new HttpServletRequestAdapter(
- request));
+
+ BasicSOAPMessageContext messageContext = new BasicSOAPMessageContext();
+
+// BasicSAMLMessageContext<SAMLObject, ?, ?> messageContext =
+// new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>();
+
+ messageContext.setInboundMessageTransport(new HttpServletRequestAdapter(request));
+
+ //messageContext.setMetadataProvider(getConfig().getMetaDataProvier());
+
+ //set trustPolicy
+// BasicSecurityPolicy policy = new BasicSecurityPolicy();
+// policy.getPolicyRules().add(
+// new PVPSOAPRequestSecurityPolicy(
+// PVP2Utils.getTrustEngine(getConfig()),
+// IDPSSODescriptor.DEFAULT_ELEMENT_NAME));
+// SecurityPolicyResolver resolver = new StaticSecurityPolicyResolver(
+// policy);
+// messageContext.setSecurityPolicyResolver(resolver);
soapDecoder.decode(messageContext);
-
+
Envelope inboundMessage = (Envelope) messageContext
.getInboundMessage();
+ LogoutResponse sloResp = null;
+
if (inboundMessage.getBody() != null) {
List<XMLObject> xmlElemList = inboundMessage.getBody().getUnknownXMLObjects();
-
- LogoutResponse sloResp;
+
if (!xmlElemList.isEmpty() && xmlElemList.get(0) instanceof LogoutRequest) {
LogoutRequest sloReq = (LogoutRequest) xmlElemList.get(0);
- sloResp = processLogOutRequest(sloReq, request);
+ //validate request signature
+ PVP2Utils.validateSignature(sloReq, getConfig());
+
+ sloResp = processLogOutRequest(sloReq, request);
+
KeyStore keyStore = getConfig().getPVP2KeyStore();
X509Credential authcredential = new KeyStoreX509CredentialAdapter(
keyStore,
@@ -111,24 +133,17 @@ public class SLOBackChannelServlet extends SLOBasicServlet {
context.setOutboundMessageTransport(responseAdapter);
encoder.encode(context);
-
+
} else {
log.warn("Received request ist not of type LogOutRequest");
response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
+ return;
}
}
- } catch (MessageDecodingException e) {
- log.error("SLO message processing FAILED." , e);
- response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage());
-
- } catch (SecurityException e) {
- log.error("SLO message processing FAILED." , e);
- response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage());
-
- } catch (NoSuchAlgorithmException e) {
- log.error("SLO message processing FAILED." , e);
+ } catch (MessageDecodingException | SecurityException | NoSuchAlgorithmException | ConfigurationException | ValidationException e) {
+ log.error("SLO message processing FAILED." , e);
response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage());
} catch (CertificateException e) {
@@ -139,15 +154,14 @@ public class SLOBackChannelServlet extends SLOBasicServlet {
log.error("SLO message processing FAILED." , e);
response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage());
- } catch (ConfigurationException e) {
- log.error("SLO message processing FAILED." , e);
- response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage());
-
} catch (MessageEncodingException e) {
log.error("SLO message processing FAILED." , e);
response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage());
- }
+ }
+
+
+
}
protected void doGet(HttpServletRequest request,
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBasicServlet.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBasicServlet.java
index 2a35e50b1..c70d34d7e 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBasicServlet.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBasicServlet.java
@@ -131,13 +131,13 @@ public class SLOBasicServlet extends HttpServlet {
} else {
log.debug("Single LogOut not possible! User with nameID:" + sloReq.getNameID().getValue() + " is not found.");
- return createSLOResponse(sloReq, StatusCode.PARTIAL_LOGOUT_URI, request);
+ return createSLOResponse(sloReq, StatusCode.SUCCESS_URI, request);
}
}
- private LogoutResponse createSLOResponse(LogoutRequest sloReq, String statusCodeURI, HttpServletRequest request) throws NoSuchAlgorithmException {
+ protected LogoutResponse createSLOResponse(LogoutRequest sloReq, String statusCodeURI, HttpServletRequest request) throws NoSuchAlgorithmException {
LogoutResponse sloResp = SAML2Utils.createSAMLObject(LogoutResponse.class);
SecureRandomIdentifierGenerator gen = new SecureRandomIdentifierGenerator();
sloResp.setID(gen.generateIdentifier());
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOFrontChannelServlet.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOFrontChannelServlet.java
index 8df7f9d5a..274aa21bf 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOFrontChannelServlet.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOFrontChannelServlet.java
@@ -69,7 +69,6 @@ import at.gv.egovernment.moa.id.configuration.auth.pvp2.PVP2Utils;
import at.gv.egovernment.moa.id.configuration.exception.PVP2Exception;
import at.gv.egovernment.moa.id.configuration.exception.SLOException;
import at.gv.egovernment.moa.id.configuration.helper.LanguageHelper;
-import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;
import at.gv.egovernment.moa.util.MiscUtil;
/**
@@ -99,8 +98,15 @@ public class SLOFrontChannelServlet extends SLOBasicServlet {
if (MiscUtil.isNotEmpty(request.getParameter(Constants.REQUEST_USERSLO))) {
//process user initiated single logout process
Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH);
+
+ if (authUserObj == null) {
+ log.warn("No user information found. Single Log-Out not possible");
+ buildErrorMessage(request, response);
+
+ }
+
AuthenticatedUser authUser = (AuthenticatedUser) authUserObj;
-
+
String nameIDFormat = authUser.getNameIDFormat();
String nameID = authUser.getNameID();
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java
index e2a55db60..ab6c22858 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java
@@ -54,6 +54,7 @@ import org.springframework.beans.factory.config.AutowireCapableBeanFactory;
import org.springframework.context.ApplicationContext;
import org.springframework.context.support.ClassPathXmlApplicationContext;
+import at.gv.egovernment.moa.id.commons.db.NewConfigurationDBRead;
import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException;
import at.gv.egovernment.moa.id.commons.utils.MOAHttpProtocolSocketFactory;
import at.gv.egovernment.moa.id.config.webgui.MOAIDConfigurationModul;
@@ -65,8 +66,6 @@ import at.gv.egovernment.moa.id.configuration.utils.UserRequestCleaner;
import at.gv.egovernment.moa.util.FileUtils;
import at.gv.egovernment.moa.util.MiscUtil;
-import at.gv.egovernment.moa.id.commons.db.NewConfigurationDBRead;
-
public class ConfigurationProvider {
@@ -602,7 +601,7 @@ public class ConfigurationProvider {
} catch (Exception e) {
log.warn("PVP2 authentification can not be initialized.");
- throw new ConfigurationException("PVP2 authentification can not be initialized.", e);
+ throw new ConfigurationException("error.initialization.pvplogin", e);
}
}
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/utils/SAML2Utils.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/utils/SAML2Utils.java
index fc310900e..eca4c05ef 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/utils/SAML2Utils.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/utils/SAML2Utils.java
@@ -94,6 +94,26 @@ public class SAML2Utils {
return document;
}
+// public static SignatureTrustEngine getSignatureKnownKeysTrustEngine() throws ConfigurationException {
+// MetadataCredentialResolver resolver;
+//
+// resolver = new MetadataCredentialResolver(ConfigurationProvider.getInstance().getMetaDataProvier());
+//
+// List<KeyInfoProvider> keyInfoProvider = new ArrayList<KeyInfoProvider>();
+// keyInfoProvider.add(new DSAKeyValueProvider());
+// keyInfoProvider.add(new RSAKeyValueProvider());
+// keyInfoProvider.add(new InlineX509DataProvider());
+//
+// KeyInfoCredentialResolver keyInfoResolver = new BasicProviderKeyInfoCredentialResolver(
+// keyInfoProvider);
+//
+// ExplicitKeySignatureTrustEngine engine = new ExplicitKeySignatureTrustEngine(
+// resolver, keyInfoResolver);
+//
+// return engine;
+//
+// }
+
}